Discover Chairman and CEO David Nelms recently announced that Discover would be transiting from chip + signature to chip + PIN during the Electronic Transactions Association’s TRANSACT 16 meeting in Las Vegas. From a consumers stand point this means that when they make a purchase they will be required to insert their chipped card into the payment terminal and then enter a PIN code, rather than signing their name.
Credit card issuers and merchants have been pushing the transition to chipped cards due to the liability shift that occurred in October of last year, because of the October liability shift last year. The liability shift can be simply explained as follows:
[T]he party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud
losses. – Visa
There are significant advantages to using a PIN over a signature though. For starters consumers are able to use their chip + PIN cards in countries where this is the standard (they are able to sign for these transactions as well, but this can be difficult to explain to cashiers in countries where chip + PIN is the standard. Signature transactions also won’t work for automated kiosks at places like train stations). EMV + PIN also reduces the amount of fraud. According to this white paper total fraud losses on signature based transactions per dollar volume were .13 percent or 13 basis points. PIN-based transactions .035 percent or 3.5 basis points.
One thing that consumers should be aware of is how their zero liability protection works. Typically if an unauthorized transaction is made on your credit card, you’re not responsible for this transaction and will have it refunded. In some cases PIN transactions are specifically excluded from this zero liability protection, as far as I can see all of the major payment networks (Visa, Mastercard, Discover, American Express) no longer exclude PIN transactions, but this could be different at the card issuer level. Zero liability will also not cover you if you haven’t exercised care to safeguard your card and PIN (e.g if your PIN is 0000 or 1234 you usually will not be covered).
Barclaycard is currently the only major credit card issuer that offers chip + PIN cards as standard. At the moment Discover have not released a timeline for their switch to PIN cards. What are your thoughts about the changes? Are you a fan of chip + PIN or is it just one more number to forget?
That didn’t happen
Will this really happen? It’s a pain that I used the discover card in China and I was asked for a pin. But I do not have it.
Why on Earth aren’t they trying to be ahead of all other US banks / catch up with all the modern world and issue contactless + PIN cards?
Wow. Discover enters modern times. Maybe. . . maybe. . . someday Discover’s developers will master the sub-remedial ability to allow customers to login to its website/apps with one login (two cards and one CD account: three usernames, three logins, and developers declare: “yeah. . . too bad for the customers”
Actually, I signed up my Discover banking using my Discover card login back in 2014, and it works with just one login. Maybe you can chat with them to merge them?
The transition in the US from chip and signature to chip and PIN can’t come soon enough, mostly because it’s harder for a crook to “forge” your PIN than it is to forge your signature.
As for security for US travelers in Europe with American chip cards, I find it awkward to have to sign the receipt. Essentially all US card issuers have their cards default to signature while the client is in Europe. This makes it difficult for ordinary merchants as their clerks have to be trained to understand that the POS is not asking for a PIN, and the clerk has to go out and find a pen to hand to the American client. Worse yet is that having to sign vs. using a PIN marks the client immediately as an American, which could be dicey for Americans in shops staffed with clerks from Mollenbeek or St. Denis, which I ran into more than I expected.
I was disappointed to find last summer that the only places in Europe where I could use my PIN with my Barclaycard or USAA card were railway stations’ ticket machines. I did not use my Chase chip credit cards anywhere as they are not PIN for purchase enabled, so Chase lost out on its potential share of credit card transaction revenue.
I was very happy to be among the first users, back in late 2012, of chip and PIN USAA credit cards then defaulting to PIN, where POS enabled. USAA’s later changing to default signature, following the lead of other US banks, was not at all well received by me or by others who wanted and got one of the first US chip cards. What a true lack of foresight on USAA’s part.
Oh, that magnetic stripe is so easily duplicated, so it has to go soon too.
I use a Barclay card when I travel overseas, specifically for this reason. I only had to use the true chip-and-pin feature twice (the default is chip and signature) but when I did it was extremely useful. The first time I used it to buy train tickets in Europe, from a terminal, and my family and I had just 5 minutes to catch that train. The second time it happened when buying fuel from a gas station in a very remote part of Iceland. No other options were available and the weather was terrible so it would have been a very big pain to try to find an alternative.
Since my Barclay card has a annual fee I’m looking forward to having a non-fee alternative from Discover.
I love this. Especially due to the hassle of chip+sig on recent trips to the UK and Australia. Merchants there all seemed befuddled when the terminal told them to obtain a signature from me. And 95% of the time, I had to dig up my passport so they could verify the signature. Having it default to a pin would be much easier.
Chip-and-Pin is no doubt the safest, many papers have shown it reduces fraud significantly and it is the main reason it is widely used in other western countries. It sucks that we’ve still to catch up.
Def a good move on Discover’s part, but until mos of our stores’ POS systems process pin transactions, not sure how much of a practical impact this will have for American consumers.
Target is prob the exception of the major US retailers here. Still suffering from 2013 data breach, they implemented chip-and-pin since late last year, even got Amex to re-issue Redbird (Prepaid REDcard) cards as chip-and-pin for new registrations since last year. By the end of June 2016 old non-EMV Redbirds will be automatically invalidated, Amex mailed in chip replacement cards for Redbird holders (more details here: https://goo.gl/Jmbzgm).
I meant Target was still suffering image-wise in 2015 (which translates to $ loss, I’m sure) from their 2013 data breach. When it comes to security, I think Target is among the most secure retailers now…once bitten.
Recently they disallowed changing your email address on your Target.com login. Hopefully as a precaution, not due to a vulnerability (maybe ITs can chime on on this). I asked one of their reps via an online chat if they would change it upon consumer request, he said no, it is a firm policy, you’d have to create a new Target.com account if you want to use a diff email address.
Your writing style is horrendous to read.
What part of it did you find “horrendous?”
Technically, one doesn’t read the writing *style,* but the writing itself. So your attempt to troll just backfired on you. Have a nice day.
Probably, the fact, that he doesn’t, know how to use, commas. I was aggravated as well.
John, I can’t read (or hear) myself from a third-person point of view, so thanks for the feedback. I’d appreciate something more specific so I know what you mean.
My Suntrust card is Chip + PIN and I find it really comforting to have the added layer of security.
So what if I have a unique pin and my card is still replicated (progress moves at both ends, hackers just adapt) – will I get stuck with a charge with no right to dispute? That blows.
Not sure I understand why people are associate the liability shift to the consumer. it is a shift of liability from almost exclusively being on the card issuer (your bank) to being shared with the merchant (the company accepting the card).
As far as the PIN goes, I think anything that reduces the cost to these companies is better for consumers. Not every penny saved goes back to the consumers, but it certainly frees up the issuers to come up with better offers, etc. Even though fraud is a faction of a percent, it is a very expensive fraction.
Good news is that no one is replicating the secure layer on a properly implemented EMV card. It’s NP-Hard (computer science speak for it’ll take so long for me to compute it, that we might as well call it forever).
There have already precedents in Europe of “unhackable” chip-n-pin card ##s being stolen and the banks had people stuffed with the unauthorized charges. That is why I’m wary.
The crypto used in EMV is RSA with 1984 bit keys and a variant of triple DES. That means integer factorization is sufficient to break the security, but integer factorization is not known to be NP-hard.
Funny you mention NP-Hard problems. Crypto systems based on NP-Hard problems have a pretty poor track record (Merkle–Hellman springs to mind).